CVE-2025-31978
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software.
Risk Assessment
The risk involves potential exfiltration of sensitive organizational data or execution of unauthorized actions on user workstations if a malicious CSV file is opened in spreadsheet software without proper safeguards.
Recommendation
It is recommended to immediately update HCL BigFix Service Management to the latest patched version and enforce policies that block automatic execution of macros in spreadsheet applications.
Original NVD description (English source)
HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.

